Setting Up HTTPS MojoMojo FastCGI with Pound, Varnish, NGINX
Overview
This page describes how to set up an HTTPS MojoMojo instance that runs as a FastCGI process behind the NGINX web server. NGINX sits behind the Varnish reverse proxy / HTTP accelerator, and Varnish in turn sits behind Pound, which terminates HTTPS in front of Varnish. Only Pound listens on the public address; every other hop in the chain is bound to localhost.
FastCGI
All Catalyst applications can run as FastCGI applications, and MojoMojo is no exception. The basic approach is to start script/mojomojo_fastcgi.pl and connect a web front end such as Apache or NGINX to it. For easier management (start/stop/restart) of the FastCGI processes, I use FCGI::Engine and FCGI::Engine::Manager.
FastCGI Configuration
The file script/mojomojo_fastcgi_manage.yml (the name must match the conf path given to the manager script) contains the configuration for the FastCGI processes. In YAML it looks like:
---
- name: "mojomojo.server"
  server_class: "FCGI::Engine::Manager::Server"
  scriptname: "script/mojomojo_fastcgi.pl"
  nproc: 3
  pidfile: "/tmp/mojomojo.pid"
  socket: "/tmp/mojomojo.socket"
  additional_args: [ "-I", "lib/" ]
This example uses a Unix socket, which is only reachable from the local host[1]. Note that a socket and pidfile in /tmp are reachable by every local user, and the pidfile can be replaced by another user before a stop/restart; a directory owned by the user MojoMojo runs as (for example /var/run/mojomojo) is the safer place for both.
FCGI::Engine::Manager Script
The script to manage the FastCGI processes is:
#!/usr/bin/perl
use strict;
use warnings;

# Load the module at run time so a missing installation gives a clear error.
# A compile-time "use" inside eval {} cannot be caught this way.
eval { require FCGI::Engine::Manager; 1 }
    or die "You need to install FCGI::Engine to run this script\n";

my $m = FCGI::Engine::Manager->new(
    conf => 'script/mojomojo_fastcgi_manage.yml'
);

my ( $command, $server_name ) = @ARGV;

if    ( defined $command && $command eq 'start' )    { $m->start($server_name) }
elsif ( defined $command && $command eq 'stop' )     { $m->stop($server_name) }
elsif ( defined $command && $command eq 'restart' )  { $m->restart($server_name) }
elsif ( defined $command && $command eq 'graceful' ) { $m->graceful($server_name) }
elsif ( defined $command && $command eq 'status' )   { print $m->status($server_name) }
else { die "Usage: $0 start|stop|restart|graceful|status [server_name]\n" }

=head1 Usage

NOTE: Run this script from the parent directory so the path to the
configuration is correct.

    perl script/mojomojo_fastcgi_manage.pl start
    perl script/mojomojo_fastcgi_manage.pl stop
    perl script/mojomojo_fastcgi_manage.pl restart mojomojo.server

=head1 Web Server Configuration

=head2 Apache

In an apache conf file:

    FastCgiExternalServer /tmp/mojomojo.fcgi -socket /tmp/mojomojo.socket
    Alias /wiki /tmp/mojomojo.fcgi/

=cut
NGINX
Next I configure the NGINX web server to use the FastCGI socket. In addition, for performance, I tell the web server to serve the files in the static directory itself instead of having them served by the FastCGI application.
The file /etc/nginx/sites-enabled/default contains:
server {
    # loopback only: Varnish is the only client of this port (a bare "listen 8080;"
    # would bind every interface and expose the unencrypted backend directly)
    listen 127.0.0.1:8080;
    server_name localhost;
    access_log /var/log/nginx/localhost.access.log;

    # mojomojo fastcgi
    location / {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/mojomojo.socket;
    }

    # static files and uploads are served by NGINX directly
    location /.static {
        alias /home/hunter/dev/mojomojo/root/static;
        expires 24h;
    }

    location /.upload {
        alias /var/lib/mojomojo/uploads;
    }
}
NOTE: The fastcgi_pass directive tells NGINX where the socket is. We also include the file fastcgi_params, which needs a one-line edit[2]. The .static and .upload locations tell NGINX to serve those files directly, i.e. not to route them through the FastCGI process; the expires line adds Expires and Cache-Control headers so that browsers (and Varnish) may cache the static files for 24 hours. Finally, NGINX must listen on port 8080 of the loopback address only, i.e. listen 127.0.0.1:8080;[3]. A bare listen 8080; binds every interface and lets anyone who can reach the host talk to the unencrypted backend, bypassing Pound and Varnish.
Varnish
Varnish is a reverse proxy that also caches for HTTP acceleration. For instance, Varnish can take advantage of the caching headers that the PageCache plugin sets[4]. I am using the version packaged for Debian Lenny, 1.1.2, and cherry-picking from Jay Kuri's Catalyst Advent article about varnishing your Catalyst sites.
Simpleton Option
The first option I was able to get working with the Lenny package of Varnish is Alternative 1 of /etc/default/varnish:
DAEMON_OPTS="-a localhost:6081 \
-T localhost:6082 \
-b localhost:8080 \
-u varnish -g varnish \
-s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"
NOTE: With this option I am not even sure what will be cached. I think the second alternative with VCL configuration is where one needs to go.
VCL Option
/usr/local/sbin/varnishd -a localhost:6081 \
-T localhost:6082 \
-f /usr/local/etc/varnish/default.vcl \
-s file,/tmp/varnish_storage.bin,1G
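The page gives the varnishd command line for the VCL option but no VCL file, so here is a minimal default.vcl as an added example; it is not from the original page or from the Varnish package. It is written in the Varnish 1.x syntax that the Lenny package (1.1.2) uses; Varnish 2.x renamed several keywords (for instance deliver instead of insert in vcl_fetch), so compile-check it with varnishd -C -f default.vcl for your version. The point that matters for security is that requests carrying a Cookie or Authorization header, and responses that set a cookie, are passed to the backend uncached, so the rendered page of a logged-in user is never stored and handed to somebody else. The paths match the NGINX configuration above; the backend address is NGINX on the loopback interface.

```vcl
# default.vcl for the VCL option above. Added example, assumed Varnish 1.x syntax.

backend default {
    # NGINX, bound to the loopback address only
    set backend.host = "127.0.0.1";
    set backend.port = "8080";
}

sub vcl_recv {
    # Only GET and HEAD are candidates for the cache; everything else goes
    # straight to the backend.
    if (req.request != "GET" && req.request != "HEAD") {
        pass;
    }
    # Static files and uploads carry no per-user state: always try the cache.
    if (req.url ~ "^/.(static|upload)/") {
        lookup;
    }
    # A session cookie or HTTP auth means a personalised response: never serve
    # (or store) a cached copy for such a client.
    if (req.http.Cookie || req.http.Authorization) {
        pass;
    }
    lookup;
}

sub vcl_fetch {
    # A response that starts a session must not be cached for other clients.
    if (obj.http.Set-Cookie) {
        pass;
    }
    # Otherwise honour what the backend said (PageCache's set_http_headers,
    # NGINX's expires): only objects marked cacheable are inserted.
    if (!obj.cacheable) {
        pass;
    }
    insert;
}
```

Two things to check after starting it: run varnishd as an unprivileged user (the packaged alternative's -u varnish -g varnish), and watch the hit rate with varnishstat. If MojoMojo hands every anonymous visitor a session cookie, the Cookie rule above passes everything and nothing but static files will be cached; in that case strip the cookie for paths that are known to be public rather than dropping the rule.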
Pound
Varnish does not speak HTTPS. It caches by inspecting HTTP requests and responses, which it cannot do while they are encrypted, so TLS has to be terminated in front of it and plain HTTP passed on. The Varnish FAQ suggests pound or stunnel for this; we use pound here[5].
ListenHTTPS
    ## the server's public address; Pound is the only process listening here
    Address 100.101.102.103
    Port 8888
    ## PEM file holding the certificate and its private key; keep it mode 0600
    Cert "/etc/pound/my.server.com.pem"
    ## xHTTP 0 accepts only GET, POST and HEAD (the default);
    ## use xHTTP 1 if the application also needs PUT and DELETE
    xHTTP 0

    Service
        BackEnd
            ## Varnish, on the loopback address
            Address 127.0.0.1
            Port 6081
        End
    End
End
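As a closing check on the exposure model this setup relies on, here is a small POSIX shell script (an added example, not from the original page) that verifies that only the TLS front end, Pound on port 8888, is bound to a non-loopback address, and that the plain-HTTP hops (NGINX on 8080, Varnish on 6081 and its admin port 6082) sit on 127.0.0.1. The FastCGI hop uses a Unix socket and therefore never appears in the TCP table. The script reads one local address:port per line, as produced by ss -ltn or netstat -ltn with the local address column cut out; the two sample tables embedded in it are constructed, showing what a bare listen 8080; in the NGINX server block looks like and what the corrected listen 127.0.0.1:8080; looks like. The allowed port and the ss/awk command used to extract the column are assumptions; adjust them to your configuration.

```shell
#!/bin/sh
# Added example: verify that only the TLS front end is reachable on a
# non-loopback address. Not part of the original page.

# Ports allowed on a public address: Pound's ListenHTTPS port (assumption: 8888).
PUBLIC_PORTS="8888"

# check_listeners FILE
#   FILE holds one "address:port" per line (local address column of ss/netstat).
#   Prints every listener that is neither loopback nor an allowed public port
#   and returns 1 if there was any; returns 0 for a clean table.
check_listeners() {
    status=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        port=${entry##*:}
        addr=${entry%:*}
        case "$addr" in
            127.*|'[::1]'|::1) continue ;;          # loopback: an internal hop, fine
        esac
        case " $PUBLIC_PORTS " in
            *" $port "*) continue ;;                 # the one allowed public listener
        esac
        echo "unexpected public listener: $entry" >&2  # e.g. 0.0.0.0:8080 or *:6082
        status=1
    done < "$1"
    return $status
}

# Constructed sample tables (not captured from a real host).
# With a bare "listen 8080;" NGINX binds every interface:
SAMPLE_BAD="127.0.0.1:6081
127.0.0.1:6082
0.0.0.0:8080
100.101.102.103:8888"

# With "listen 127.0.0.1:8080;" only Pound is public:
SAMPLE_GOOD="127.0.0.1:6081
127.0.0.1:6082
127.0.0.1:8080
100.101.102.103:8888"

# live_table FILE: dump this host's listening TCP sockets into FILE.
# Assumes iproute2's ss; on older systems use: netstat -ltn | awk 'NR>2 {print $4}'
live_table() {
    ss -ltn | awk 'NR>1 {print $4}' > "$1"
}

# demo: run the check over both constructed tables.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BAD" > "$tmp"
    echo "constructed table with 'listen 8080;':"
    check_listeners "$tmp" || echo "  -> flagged, as expected"
    printf '%s\n' "$SAMPLE_GOOD" > "$tmp"
    echo "constructed table with 'listen 127.0.0.1:8080;':"
    check_listeners "$tmp" && echo "  -> clean"
    rm -f "$tmp"
}

# "sh check_listeners.sh --live" checks this host; with no argument run the demo.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) && live_table "$tmp" && check_listeners "$tmp"; rc=$?; rm -f "$tmp"; exit $rc
else
    demo
fi
```

Run it with --live from cron or after every configuration change; a non-zero exit means some hop other than Pound has become reachable from outside, which is exactly the failure a later edit to the NGINX or Varnish configuration is likely to introduce.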
Footnotes
[1] Alternatively, one could use a TCP socket to reach a remote FastCGI instance of MojoMojo; in that case the socket is no longer limited to the local host and needs the same firewalling as the other hops.
[2] The fastcgi_params file is found at /etc/nginx/fastcgi_params and contains one modification from the original version provided by the Debian package: the line fastcgi_param SCRIPT_NAME $fastcgi_script_name; becomes fastcgi_param PATH_INFO $fastcgi_script_name;, so that Catalyst sees the request path as PATH_INFO rather than as a script name.
[3] The use of a Unix socket and the loopback address keeps the FastCGI and NGINX processes from being reachable remotely. Varnish runs on localhost as well; only the front-end Pound listens on the public Internet address of the server.
[4] This is done with the set_http_headers => 1 option of Catalyst::Plugin::PageCache.
[5] The reason for choosing pound over stunnel was that it seemed easy to get running, and that proved true.